
ENISA launches investigation on data breach notification rules


January 16, 2011

A new European Union study has identified Internet security, risk prioritisation, law enforcement and a need for more and better resources as key issues in applying new data breach notification rules in Europe.

ENISA, the European Union's Internet security agency, launched its investigation into data breach notification rules against a backdrop of new security events and a steadily rising rate of incidents in which personal information was disclosed.

ENISA identified key concerns from both telecom operators and the Data Protection Authorities (DPA) in applying a recent ePrivacy Directive that applied security breach notification rules to the electronic communications industry.

The agency hopes this new research will help to develop best practices and new processes for breach notification, as well as informing ministerial decisions on whether the EU data breach disclosure rules first applied to telcos and Internet Service Providers ought to be extended to financial service firms and other sectors of the EU economy.

Key concerns raised by telecom operators and DPAs interviewed by ENISA include:

  • Risk Prioritisation -- Interested parties want breaches categorized according to risk level to avoid notification fatigue. Graded responses should be applied depending on the level of risk; a one-size-fits-all approach would be counterproductive.

  • Communication Channels -- Operators wanted assurances that complying with breach notification rules and reporting security slips would not damage their brands. The concern is that those that report issues, in compliance with the new rules, will be punished by earning a reputation for poor security, while those that report nothing will avoid tarnishing their reputation.

  • Resources -- Several regulatory authorities have other priorities beyond the handling of breach notification and there were concerns this could lead to over-stretching of resources, leading to possible issues in law enforcement and other areas.

  • Reporting Delay -- The report identified a big disconnect between service providers and regulators on deadlines for reporting security breaches. Regulators want short deadlines whereas service providers wanted to be able to focus their resources on solving the problem before they dealt with the regulatory fallout of any security breach.

  • Content of Notifications -- Another huge area of disagreement: operators want to make sure the notification content avoids unduly alarming customers, who might be inclined to think the worst about any security breach. Regulators, meanwhile, advocated complete transparency.

The agency intends to use its research in analyzing the possibility of extending the general obligation of data breach notification to other segments as well, such as the financial sector, health care and small businesses.

The issue of security breaches will be discussed at an ENISA-organized workshop in Brussels next Monday, on Jan. 24.

Causes for concern

On Jan. 12, a German Internet security researcher succeeded in using Amazon's cloud computing services to crack WiFi passwords in a fraction of the time, and for a tiny percentage of the cost, of using his own equipment.

Thomas Roth used custom software running on Amazon's Elastic Compute Cloud (EC2) service to break into a WPA-PSK protected network in under 21 minutes. With improvements to his software, he said he could cut the time down to about 6 minutes.

With EC2 computers available for about twenty-eight cents per minute, the cost of the hack attack came to just $1.68.

“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a lot of money to do so. But it's relatively easy to brute force them,” said Roth.

Roth is the same researcher who in November used Amazon's cloud services to brute force SHA-1 hashes. He said he cracked fourteen 160-bit SHA-1 hashes of passwords of between one and six characters in about 49 minutes.

Roth added at the time that he'd be able to significantly reduce that time with minor tweaks to his software, which made good use of the “Cluster GPU Instances” of Amazon's EC2 service.

As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a specific network. Rather than exploiting weaknesses, they try huge numbers of possible passwords until the right phrase is entered. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.

Roth's latest software uses EC2 to run through 400,000 possible passwords per second, a rate that only a few years ago would have required the resources of a jumbo computer. He is scheduled to present his findings at next week's Black Hat security conference in Washington, DC.


Source: ENISA.
